Posted
by
samzenpus
on Thursday March 31, 2011 @02:09AM
from the super-secret-admirer dept.

An anonymous reader writes "Creepy, a package described as a 'geolocation information aggregator,' is turning heads in privacy circles, but should people be worried? Yiannis Kakavas explains why he developed his scary stalking application. Creepy is a software package for Linux or Windows — with a Mac OS X port in the works — that aims to gather public information on a targeted individual via social networking services in order to pinpoint their location. It's remarkably efficient at its job, even in its current early form, and certainly lives up to its name when you see it in use for the first time."

I do like the idea however. The average person is stupid beyond belief. It usually takes something like this to shake them up enough to understand the dangers of social network and sharing this much data that is publicly available.

So... just how accurate can that be if it works on geolocation? As it happens I do not use a single one of those services. I have a facebook account so I can find out how my friends are doing (and let them all know about major events in my life, not what I had for breakfast or what thought passed through my brain as I stared idly off into space) and that's it. I guess I'm invisible to this guy, woohoo!

How many people leave the GPS on their phone turned on all the time? If nothing else it burns the batteries faster. My phone's a two-year-old model, so maybe newfangled ones are different, but mine only knows where it is when you fire up a mapping application, wait 30+ seconds, cuss at it, and hold it near a window in clear line of sight of the sky.

What exact harm is going to come to me? Do we really live in such a dangerous world?

Yes. We really do.

I am going to make an assumption that you live in a 1st world country. So I can understand how you may not perceive the dangers getting your coffee from Starbucks everyday, going to work, eating your processed food, and then watching a few hours of television. Of course that was another assumption too, and not meant to denigrate you without cause.

On the whole though, the world is, in fact, a very dangerous place. Ask people in Libya, Syria, Israel, Saudi Arabia, Afghanistan, Pick-a-Sta

As opposed to just going "Welp, someone ELSE better look through that code!", I decided to. I'm not going to claim I'm a security or python expert, but I know the latter decently enough to feel safe in saying... ain't nothing there but what it says on the tin.

I appluad you for the initiative, but people can do very very sneaky stuff in code, so your IANAS/PE pretty much means that if the author was anywhere half competent and wanted to do something Evil(tm) he could probably sneak it past you

Which is part of my problem with the idea that open source means it is automagically safe, i know i wouldnt be able to tell if some hardcore C-lib does something less then savory without spending a disjointed amount of time on the needed code-review. You basically assume som

Anyone instantly worried that installing this software in your own machine might also make any data on that machine available for stalking?
It somehow doesnt seem like a good idea to me to trust a programmer proficient at this kind of this without a very very thorough code review first

Knock yourself out. The source code is available from the project page:

Well, that or just stick it in a VM. Since running Windows (especially) in a VM I don't care any more about that sort of thing. (Every now and then I just delete it and restore from a cleanish one to be on the safe side.)

Then you're not paranoid enough. How do you know creepy isn't sending a packet to a creepy server somewhere, so he can do a reverse geolocate on your IP address? Creepy is already performing that exact function with IP addresses from twitter postings, so you know he certainly could.

Everything is encapsulated in a VM, both in and out. It's been my solution to being able to browse gay porn and not worry about my wife finding it in my browser history, so it should be good enough for running this kind of program.

That makes no sense.

If you're married with a wife...why the fuck would you want to look at gay pr0n???

I mean, I can understand a man getting tired of the same pussy after a few years, but that's no call for switching 'teams'....!!

So, the eula's take everything you post on these services (since you agreed to it), make apps to release the info (that you agreed to release) and this guy is a social phenomena for making a program to track what users freely gave up to join the sites in question?

A) Be horrified by the privacy implications of putting all this personal information on the internet, of our own free willorB) Laugh at the people who chose A, and smugly congratulate ourselves for not having done so.

It's also supposed to make people more aware of the kind of information they're giving away. Most people just don't think about that sort of thing. Sharing with friends is fun. They have no idea that they're sharing the exact same data (and even more; who even knows about exif data?) with the entire world. And the world does include some very creepy people.

Yes, I'll grant you that. However, most people simply don't care. They're apathetic about privacy issues, and I'm apathetic about baby pictures. So, they use social media and I don't. You could make a good argument that they don't understand the scope or consequences of these privacy invasions, but I've given up on trying to change the minds of compulsive sharers. It's like trying to explain to a compulsive hoarder why anyone would ever want to purchase digital media. It's an alien concept, and you're

Sure, they don't care now. The point of Creepy is to maybe put a dent in the apathy. If a proper news source were to pick this up under the banner of "A stalker could be after your kids using this app!", people might start to care.

Sure, they don't care now. The point of Creepy is to maybe put a dent in the apathy. If a proper news source were to pick this up under the banner of "A stalker could be after your kids using this app!", people might start to care.

Oh please no. Because once that happens, the politicians will get involved. And nothing good can ever come of that.

Privacy situations are in the running for the defining issue of this upcoming decade. Call the previous few years a "warmup" phase.

Apps like this go for the "wait, what?" factor. Say you're my "friend" on Facebook, and you post your address, maybe in a "News from Oak St Dayton Ohio" kind of a feed, etc.

So then someone goes a little over the top and just cruises up on a Saturday with Lasagna and starts setting lunch on your table. Cue shocked outrage. "But you're my friend, and you don't care about me knowin

Alternately, if I post a photo of my location on a public site like Flickr set for the world to see, maybe I (gasp!) don't mind that people know where I took it? Especially since the caption is often similar to, "Look, great tulips at the Dallas Arboretum sunken garden this weekend" anyway?

[T]he world does include some very creepy people

The world also includes some very normal people who either don't mind if other folk know where they are, or are smart enough not to post photos of their activity to Flickr during times when they want a little privacy. I

The world also includes some very normal people who either don't mind if other folk know where they are, or are smart enough not to post photos of their activity to Flickr during times when they want a little privacy.

"Usually it works out fine" is not a great counter to "it can go very wrong". I mean, look at nuclear power plants. The fact that most don't melt down doesn't mean that safety is not a concern.

If you publish your whereabouts on public streams of social networks, it is publically available. Even the biggest idiot on the internet will grasp that. Has anyone ever thought about the fact that people who check in to a location on Foursquare, post pictures of themselves at that location on Flickr and mention that location on Twitter might actually want the world to know where they are?

They want their FRIENDS typically to know where they are (or, for bragging rights, have been); usually not realising the other potential uses of such information, and how much it reveals about them for outsiders. They don't realise it also reveals where they live, where they work, and when they're usually not at home.

They want their FRIENDS typically to know where they are (or, for bragging rights, have been); usually not realising the other potential uses of such information, and how much it reveals about them for outsiders. They don't realise it also reveals where they live, where they work, and when they're usually not at home.

Let's see. My workplace is fairly easy to find if you know me. My home ownership is public record (on the county tax rolls) and while I might own an investment house and live elsewhere... I don't. Neither do most other people who own only one house. Heck, for most people their current address is in the phone book anyway. Since I have a white collar job I'm generally, but not always, at work during normal business hours.

It would mean, after all, that a burglar would be targeting specific individuals, and research that specific location before making their move (and finding out they have proper locks and bolts). I can imagine that happening for specific high-profile targets; not for Joe Sixpack.

Many burglars are opportunists. Targeting houses where they suspect the owners are not at home that day (e.g. by walking by a few times and noticing lights off all evening and no c

It wouldn't surprise me if this could be automated. Check who is suddenly submitting photos from hundreds of km away from where they usually submit their photos, and you've got a nice list of potential candidates. If people are away, they can still return at any time. But when you know they're far away, you know you've got time.

Don't you remember PleaseRobMe.com from a year or so ago? It published a list of addresses of people who were tweeting or foursquaring that they weren't at home. It was written to point out this exact same flaw in people who like to post about places they are and places they aren't.

Finally, a person who gets it! I mean reall, eh? It's not like some random weirdo is going to stalk you, or show up in the middle of the night to murder you, skin your face, and then jerk off on your corpse. It's corporations who do that kind of stuff!

If he (or someone else) went one more step and had live feeds of politicians' locations, boom: Terrorist. Though I think such feeds for the top 50 wealthiest CEOs would be more interesting and satisfying.

I don't know that this really does much you can't do fairly easily already. So if you have someone's name and city, there is a good chance you can locate them. Why? All kinds of things in the public record you could look up. Own a house? Then there's a record of that publicly available. Phone numbers are normally listed (though with the increase in cell phones that is less common).

What it comes down to is that in a modern society, we are going back to how it was in older, smaller societies: You can have privacy, but you cannot have anonymity, at least not without a good deal of trouble and sacrifice.

So back in the day, with much smaller communities and so on you had an "everyone knows everyone" situation. Not literally, but people were known to a substantial part of the town. As such it was just not possible to be anonymous. Your comings and goings were noticed. Where you lived was known, that kind of thing. If you moved to a new place, again you've be noticed. Short of going and living a very solitary life, you couldn't be anonymous.

Now privacy you could have, easily. If you wanted a private conversation, just walk out in a field where nobody was within earshot. In your house you had almost complete certainty nobody could spy since there was no advanced technology. What you did you could keep private to a large degree. That you were around doing things you could not.

As things grew anonymity became more and more possible. You could just disappear in a large city, go about your business but be unknown and invisible to most everyone.

Well, that is changing back again. Technology is making it such that anonymity is going away. It is just very difficult to make yourself unknowable. Privacy is certainly possible, and the Supreme Court has ruled it is a right and thus the government is required to respect it. However anonymity is pretty hard.

So that an app can find where you live fairly easily isn't surprising at all to me. There's just a lot of public documents on you, and the Internet makes it easy to search them. The information you choose to provide on social network sites makes it even easier.

It is just kinda something we have to accept, unless we want to radically alter how society works.

Also we need to understand that anonymity and privacy are not the same thing. Too many people conflate the two. They think a right to privacy means the right to be totally unknown. Not the case. It means the right to have the specifics of your life secret, not that you are living your life a secret.

What you do in your house is your private business. That you are in your house it not private. You neighbours can watch you come home and leave, and know when you are there. That is 100% legal and ethical. You will not be anonymous. However they can't go and spy on you and see what you are doing. You can still be private.

Yes, I would also like more people to make this distinction. However, I think anonymity is more important than privacy. Either one is enough. With privacy, I can do what I want and noone will know. With anonymity people will know, but it won't matter since they won't know who I am. So the question becomes which one we will be able to rely on in the future. How easy is it for one to have privacy or anonymity?

With email providers and facebook handing out user data left and right, it's easy to know what a pers

You are forgetting decades worth of spending activity that the government / 3rd party can sift through and find patterns.

They may not be able to use those patterns to directly track you down digitally, but they can begin to figure out how you think when it comes to purchasing, food, supplies, gadgets, etc.

You also are forgetting misdirection... you need to make sure you start preparing your social circle for the fact that you will be out of contact / travelling for a while, as to not raise much suspicion.

If I wanted to become anonymous, though, all I would need to do is leave my cellphone at home and only use cash.

It'll take a lot more than that, I'm afraid.

There was a kind of cheesy show on cable a few months back on "dropping off the grid". Some guy (not a security expert but he played one on TV) showed some of the steps the writers thought you'd need to take to make it harder to find you. Cash, pay phones, name changing, picking an appropriately sized city (not so big that they have 2,000 cameras per square mile, and not so small that everyone knows everyone else,) a new menial job as a night janitor, avoiding s

While it's hard to put this into a formal definition, there's a different between random observation in public and systemic surveillance. If you had a person that stayed two steps behind you everywhere you went and noticed everything you put in your grocery basket, took notes at the pub how many beers you were drinking, followed you home and knew where you slept and if you brought anyone with you home, most people would be seriously creeped out even though technically it all happens "in public". I'm not so worried about someone actually doing that, maybe you could if you put a whole team of undercover detectives on me but it's not practical to do on any scale.

With technology though the rules change. It becomes very possible to track everyone, all the time with relatively little manpower. Like the EU data retention directive that requires the location of all cell phone traffic be stored for 6-24 months. For a smart phone that checks for mail etc. in the background that's practically 24x7 surveillance, like we've all been radio tagged. For public transport they're pushing for electronic tickets, for private transport there's electronic toll road readers - it's not impossible to travel anonymously, just very impractical. Unless you want to fly, in which case it is impossible.

Same goes with money, they're fighting harder and harder for everyone to use electronic money. If I pay anyone over 1800$ in cash here in Norway, I can be held as an accessory to their tax fraud. What happens is that they don't wrap in surveillance, it's not some extra papers you fill in to have it logged. It's wrapped in convenience - online banks are so much simpler than the way we did before, oh and we keep a copy of all the records too. Same with cell phones, great invention. Oh and it also doubles as your tracking device. If I locked it around your ancle you'd protest, but if I can make 95%+ use it voluntarily 95%+ of the time, we can go after those "must have something to hide" people.

I generally agree with you, but I think this part of TFA is interesting:

While the location of an individual tweet might not reveal much, visualising a user's history on a map reveals clusters around their home, their workplace, and the areas they hang out.

This is a bit more than public records about houses and phone numbers - I'd say it is closer to the "everyone knows everyone" situation, where the better part of a town would know what bar you could find John in after work.

You distinguish privacy and anonymity, but your definition of anonymity seems flawed. When I run around in a city, my anonymity is still largely maintained: a stranger really has no means to identify my, even the police will have difficulties if I don't volunteer the information (say, by showing them my ID card which are issued to everyone here, but that's beside the point). Because I am anonymous to them, strangers have no shortcuts to getting more information on me, e.g. they can't use the app from TFA to

"I don't know that this really does much you can't do fairly easily already."

That is true for most things. It is easy to commit most crimes and get away with it if you know how. The lucky break we have is that most criminals are absolute idiots or at least so drugged out of their skull that they only go for the easiest of options and often fail even at that. If they weren't idiots, they'd realise that if you are clever enough to make a real mint out of crime without getting caught, you are probably clever e

Yes, but by putting RYAN SEACREAST in the tool I was able to pinpoint roughly 4 hotspots on a map in Hollywood where he sends twitters. You need to consider the geolocation feature of this tool and how easy it was to pull up a map. Most people I know don't bother with twitter but if you are high profile, you should be concerned about this. If a stalker, possibly one with bad intentions (you kicked off my favorite star!!) were to keep on eye on the coffeehouse you visit regularly, he might find it easy to ma

A link to the actual site for the program: http://ilektrojohn.github.com/creepy/ [github.com]. Also, this program has copyright notices for 2010. So... (Though admittedly the article is dated 30 March 2011.)

Anyway, yeah, the program is written in Python it seems. And it doesn't even run for me.Possibly because some dependencies aren't in the Ubuntu 9.10 universe. Bleh.

Anyway, I just wanted to say one other thing. I ain't worried, 'cause I don't use Social Networks! Hah! You crazy stalking types are going to have to try harder to find out about me than that. (Please help, I have no friends.)

OK, that username was actually picked because it was the name of the machine I was using when I registered on Slashdot, but that doesn't mean I don't have creepy tendencies (incidentally, that machine was bought on halloween and the 3 hard disks it had were Creepy, Spooky, and Spectral).

Why are people saying this is a privacy issue? It's not. It uses publicly available information that the person freely posts online for the general public to read. Its like saying articles posted in the New York Times is private information of the authors who write for it. This program dosen't even do anything cool like make HTTP requests from state / city govermently run publicly available data.

There are all ready existing applications out there that have all the features this software has and much much more.

It is a privacy issue. Many people aren't aware that they are leaking location data, and more aren't aware of the wider implications. And while there are certainly utilities to read a JPEGs exif geodata and access the other services his utility talks to, I don't think there a single tool that does all of it. And this is meant to be user-friendly: dedicated individuals could steal Facebook (etc.) sessions forever, but it took a program like Firesheep to get some public awareness. That's what this is about.

Yes, so can Picasa/PicasaWeb. Flickr does it, too. (On a sidenote: Does Flickr strip the GPS exif tags from the original photos if you enable the geo privacy setting?) For most computer users, doing this manually -- even if they are aware that importing it into iPhoto is enough -- would still involve individually downloading dozens if not hundreds of photos. This app does it by itself, aggregating from several sources (and not just jpeg exifs). Still needs to support more data sources, though -- no Facebook

It is a privacy issue. Many people aren't aware that they are leaking location data, and more aren't aware of the wider implications. And while there are certainly utilities to read a JPEGs exif geodata and access the other services his utility talks to, I don't think there a single tool that does all of it. And this is meant to be user-friendly: dedicated individuals could steal Facebook (etc.) sessions forever, but it took a program like Firesheep to get some public awareness. That's what this is about.

So this isn't a privacy issue but a public awareness issue? Or is it a public awareness issue about a privacy issue? I'm pretty sure it's an issue, and I don't think it is a privacy issue about a public awareness issue. I'm so confused.

The problem is the devices. In the case of EXIF data, no phone should ever embed location data into an image without you knowledgeably opting in to that level of sharing. You shouldn't have to be trained in image metadata to use a phone. It's not your job to turn it off. It's the phone designer's job.

Or, since that has clearly failed, it's the role of public policy to set clear, stable boundaries on what hardware and software makers can and can't do with end user's information. The end user will never be aw

Such apps will create the necessary awareness of the dangers of putting too much info online. It'll put a stop to the stupid attitude of "If you have nothing to hide, you have nothing to fear".

It's no longer just the government that's looking into your affairs. It's also the neighbor, your aunt in Australia and your colleagues. And with these kinds of apps they can suddenly dig up a lot more dirt. Dirt which was available all along.

Why'd someone worry about these people? Up a notch: Your wife's ex. That bully from high school that loved to beat you up. Or just someone you had a flamewar with and told you "if I ever find you, I'll rip you a new one".

This guy got it all wrong. He didn't make a creepy geolocation aggregator; he made an "advanced geolocation forensics tool for use in the intelligence community". Had he labeled it properly and been more greedy, he could be laughing all the way to the bank! He definitely could have taken a page out of the Hoglund/Barr book here.

Would it really be that hard for flickr etc. to strip out the metadata from the uploaded photos, then allowing the users to opt-in if they want to leave the data in place? There could even be an "advanced" setting to allow users to pick and choose (date OK, camera OK, location NO). (They may already have this, didn't check.)

What the FBI/CIA/NSA have that does the same thing?Why Goldman Sachs thinks Facebook is worth 50 billion?Why people join and participate in Facebook willing giving up their info for others to profit by?

So trying to find out whether my network is secure is "plausible" but trying to find out whether too much information about me is floating around the internet and that I want to prepare for the fallout is not?

So trying to find out whether my network is secure is "plausible" but trying to find out whether too much information about me is floating around the internet and that I want to prepare for the fallout is not?

Yes. A jury could be led to conclude that the first is much more plausible than the second.

A weapon is just as responsible as the person using it -- its sole purpose is to harm, and that is all it does. If you want to defend yourself, learn to run fast or something.

Run fast? Brilliant! Do you have a newsletter, your solutions are fantastic! I can't help but think they can be applied to a broader spectrum of worldwide issues. Just think of where the late Libyan protesters might be had your insight been available to them.

He's right in one way: Wanting a gun for "defense" is quite a lot of bull. I haven't seen a single person hitting a bullet aimed for him in my lifetime. That would be using it for "defense". Shooting someone in "defense" isn't defending. It's preempting a possible attack.

Any reasonable definition of self defense (legal or otherwise) means exactly what you are saying it does not [reference.com]. Even if your definition of defense were correct, guns in general (which was the original statement) are not the act of shooting people , much the same way as a bodyguard is not the same as having people beaten. The utility of guns and bodyguards come more from their threat of reprisal than the actual usage of them.